The rush to adopt cloud computing has driven one of the most prevalent technology and paradigm shifts today, one that can be summed up in a single phrase: the increased use of Infrastructure-as-Code (IaC). Traditional legacy IT environments required physically setting up and configuring hardware and infrastructure through manual processes. With the advent of cloud computing and the growth of IaC, organizations now provision IT infrastructure through machine-readable files, which can be templatized, reusable and portable. There are many flavors: Cloud Service Provider (CSP) native options such as Amazon Web Services (AWS) CloudFormation or Microsoft Azure’s ARM templates and blueprints, as well as vendor-agnostic options, the most popular being Terraform by HashiCorp.
This paradigm shift hasn’t only transformed the infrastructure and operations of IT environments; it is also bringing many security benefits. Much like infrastructure provisioning in the days of legacy IT, security has traditionally handled IT security policies in a manual, “paper”-based fashion. This generally meant articulating policies for IT systems in Word and PDF documents and then going out and validating that systems were provisioned and configured in a manner that aligned with said policies. This is an incredibly tedious, cumbersome, and inefficient way of approaching security.
There has been a strong push to “shift security left”. This typically refers to bringing security earlier into the software or system development life cycle. Security is often described as bolted-on rather than baked-in, which has traditionally materialized as delivery delays, increased cost, re-work, tension between developers and security, and more. The benefits of shifting security left include faster delivery, reduced costs, mitigating risks before they reach runtime environments, and more.
With the widespread adoption of IaC, we’re now seeing concurrent adoption of Policy-as-Code (PaC). PaC essentially articulates policies in code, which supports several benefits. These include guardrails for automated verification of activities, codification of organizational security policies, version control, and simply a more effective and efficient method of security policy enforcement. There are several PaC vendors as well as Open Source options for organizations to choose from. Two of the most notable vendors are BridgeCrew and Accurics, which were recently acquired by Palo Alto and Tenable respectively, indicating that large security vendors are seeing the promise as well. There are also OSS options, such as Open Policy Agent, which is well suited to cloud-native environments. Some of the vendors also offer free OSS options that ship with over 1500 pre-existing policies spanning some of the most notable compliance standards, such as SOC2, PCI, HIPAA, NIST, and more. So rather than having security and compliance violations identified in runtime environments after infrastructure has been provisioned, you’re able to lean into PaC capabilities and catch these concerns far sooner in the SDLC. There’s also the benefit of being able to run these tools against your production environments, which helps catch drift and compliance deviation and keeps your workloads in a “known good” state. This sort of capability simply wasn’t possible in the manual-centric legacy IT environments. Not only is it promising from the security perspective, but it also helps bridge the gap created by the ever-pervasive security workforce shortage. Technologies such as PaC perform activities at a pace and scale that humans never could.
All of these promises are not without peril. Since IaC templates can be codified, published, and shared freely, countless templates are available in repositories across the web. On the surface this seems incredible: you can just take them and use them to speed up provisioning and configuring your environments. Research from vendors such as BridgeCrew and Palo Alto’s Unit 42 has found that, much like OSS code, freely available IaC templates are littered with vulnerable configurations that could put your organization at risk. For this reason, it is key to leverage PaC tooling to ensure the IaC templates you’re putting in place align with your organizational security and compliance requirements as well as vendor best practices on hardened configurations.
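The following added example (not code from the original post or from any vendor or project named in it) illustrates the Policy-as-Code idea from the two preceding paragraphs: two organizational policies codified as small Python functions and run against a constructed CloudFormation-style template that contains the kind of weak configuration found in shared templates. The resource types and property names follow AWS CloudFormation; the template contents, policy ids and function names are assumptions made up for this example.

```python
"""Minimal Policy-as-Code evaluation of a CloudFormation-style template."""

# Constructed sample template (not from a real deployment): one encrypted
# bucket, one unencrypted bucket, one security group exposing SSH worldwide.
SAMPLE_TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
}}

def bucket_encrypted(props):
    """Policy: every S3 bucket declares default server-side encryption."""
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    return any("ServerSideEncryptionByDefault" in r for r in rules)

def no_public_admin_ports(props, admin_ports=(22, 3389)):
    """Policy: no ingress rule exposes SSH (22) or RDP (3389) to 0.0.0.0/0 or ::/0."""
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        # Protocol "-1" (all traffic) carries no ports; treat it as the full range.
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if world and any(lo <= p <= hi for p in admin_ports):
            return False
    return True

# Policy registry: resource type -> [(policy id, check)]. Adding a policy is a
# one-line change here, which is the codification benefit the text describes.
POLICIES = {
    "AWS::S3::Bucket": [("S3_ENCRYPTED", bucket_encrypted)],
    "AWS::EC2::SecurityGroup": [("SG_NO_PUBLIC_ADMIN", no_public_admin_ports)],
}

def evaluate(template):
    """Return sorted (logical id, policy id) pairs for every failing resource."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        for policy_id, check in POLICIES.get(res.get("Type"), []):
            if not check(res.get("Properties", {})):
                findings.append((name, policy_id))
    return sorted(findings)

if __name__ == "__main__":  # non-zero exit fails the pipeline stage on any finding
    findings = evaluate(SAMPLE_TEMPLATE)
    for name, policy_id in findings:
        print(f"FAIL {policy_id}: {name}")
    raise SystemExit(1 if findings else 0)
```

Run as a pre-merge step, the non-zero exit is the guardrail: the unencrypted bucket and the world-open SSH rule are rejected before the template is ever applied to an account.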
The increased codification of IT is leading to innovations that weren’t possible in legacy IT environments. By leveraging PaC you’re able to bake in security requirements, implement guardrails for developers driving business value, and speed up time to value for your stakeholders. This is the new paradigm of cybersecurity in cloud-native environments.